The file globbing (matching filenames against patterns such as "*.bak")
routines in glibc exhibit an error that results in heap corruption
and that may allow a remote attacker to execute arbitrary commands from
processes that take globbing strings from user input.
Tom Parker, Global InterSec LLC, contacted SuSE Security and illustrated
an attack scenario against the BSD-derived ftp daemon that is installed
as /usr/sbin/in.ftpd in SuSE Linux distributions. This in.ftpd should
not be confused with the Washington University ftp daemon (wu-ftpd) that
comes installed as /usr/sbin/wu.ftpd in SuSE Linux and uses its own
globbing functions.

Since the attack against in.ftpd is based on a heap corruption in glibc,
the proper solution for the error is to replace the affected code in
the glibc globbing functions. It should be expected that other network
service daemons that accept user-supplied globbing strings, such as rsyncd,
can be attacked through the same glibc globbing error. There is no
satisfactory workaround against the problem other than updating the glibc
libraries with a fixed version. We provide update packages for this purpose.

Users of the SuSE Linux 6.3 distribution should upgrade their systems
to a newer product since security update support for SuSE Linux 6.3
has been discontinued two years after the release.

Notes, Special installation instructions:

* If you use YOU (Yast2 Online Update), the necessary update packages
will be selected automatically. Please consider reading the
PRECAUTIONS and the AFTERCARE paragraph below. A standalone desktop
installation should not face any problems with the update as long
as the system is not loaded during the update process.

* The glibc package consists of one source RPM package and multiple
binary RPM (sub-) packages. The source RPM package and the
documentation subpackages do not need to be installed to resolve the
errors in the globbing functions. In fact, you only need to install
the updates for packages that are already installed on your system.
The different subpackages contain:
++ shared libraries
+ static libraries and header files
+ profiling and debugging versions of glibc
- timezone description files (package timezone)
- internationalization files (i18n)
- two documentation packages
The packages marked with "+" are necessary to update if they are
installed on your system. The source RPM does not need to be installed
unless you want to compile your own glibc binaries.

Find out which of the four packages are installed on your system
according to the package names in the table. Use the command
rpm -q name_of_package
to query the package database for each name.
If you have your package list, download the packages that you need
from the URLs as listed below. Verify their integrity and authenticity
following the guidelines as described in section 3) of this security
announcement.

* PRECAUTIONS
The shared libraries package of the glibc is the most sensitive
part of a running Linux system, and modifications to it should be
handled with special care. During the update of the shlibs/glibc
package, runtime-linking the shared libraries is likely to fail for
processes that execute a new binary with the execve(2) system call.
Therefore, we recommend bringing the system to single user mode
("init S") to perform the package update. If this is not possible
for operational reasons, a system receiving the update should be kept
as quiet as possible (no shell scripts of any kind, no cron jobs, no
incoming email).

* Update the shared libraries package first using the command
rpm -Uhv <name-of-package.rpm>
The execution of this command must not be interrupted!
Then use the same command ("rpm -Uhv ...") to update the other
packages. The update of these packages is not critical.

* AFTERCARE
After performing the update, you should run the following command
on your system:
/sbin/ldconfig
ldconfig will rebuild the runtime linker cache. If you use YOU
(Yast2 Online Update), the ldconfig command will be executed
automatically at the end of the update.

The shared libraries that were installed on the system before the
update have been removed from the filesystem, but they are still
in use by the running applications. Therefore, neither the disk space
nor the memory will be freed until the last process that uses
these files exits. We recommend rebooting the system to work around
this problem.

- /bin/login vulnerabilities
A buffer overflow vulnerability has been reported for System V derived
implementations of the login program while it copies environment variables
from the login prompt to the user's future environment. SuSE Linux
distributions are unaffected by this problem. The login programs in
SuSE Linux distributions before and including SuSE Linux 6.1 contain
the environment copying feature. Versions shipped after (and including)
SuSE Linux 6.2 use PAM (Pluggable Authentication Module) routines for
login and password prompting. The PAM routines do not support
environment passing.

SuSE update packages are available on many mirror ftp servers all over
the world. While this service is considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently of each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command
md5sum <name-of-the-file.rpm>
after you have downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We advise against subscribing through mailing lists that modify the
email message containing the announcement, since the signature will
then no longer match after transport through the mailing list
software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
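The following script is an added example of method 1), not part of the SuSE advisory. It assumes the announcement has been saved to a file and its cleartext signature already verified with gpg, and it takes every line of the form "<32 hex digits>  <filename>" as a checksum entry; a file that is missing or does not match fails the check, as does an announcement without any checksum lines.

```sh
#!/bin/sh
# Added example (not from the SuSE advisory): verify downloaded update
# files against the md5sums listed in a (signature-checked) announcement.

# Compute the md5 of a file; md5sum is coreutils, md5 -q is the BSD fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print the "checksum filename" lines found in the announcement on stdin.
# Only lines made of exactly 32 hex digits followed by a filename qualify.
extract_checksums() {
    grep -E '^[0-9a-f]{32} +[^ ]+$'
}

# verify_dir <announcement-file> <download-dir>
# Prints one line per listed file: "OK name", "MISMATCH name" or
# "MISSING name". Returns 0 only when at least one file was listed and
# every listed file is present and matches (fail closed).
verify_dir() {
    ann="$1"; dir="$2"
    report=$(extract_checksums < "$ann" | while read -r expected name; do
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING $name"
        elif [ "$(md5_of "$file")" = "$expected" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"
        fi
    done)
    printf '%s\n' "$report"
    [ -n "$report" ] && ! printf '%s\n' "$report" | grep -qv '^OK '
}

# Usage: verify_dir announcement.txt /path/to/downloads || echo "do not install"
```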

2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be imported with gpg into the ~/.gnupg/ directory in the
home directory of the user who performs the signature verification
(usually root). You can import the key that is used by SuSE in rpm
packages for SuSE Linux by saving this announcement to a file
("announcement.txt") and running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

- SuSE runs two security mailing lists to which any interested party may
subscribe:

suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.

suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.